Embodiments of the inventive subject matter generally relate to the field of computing systems, and, more particularly, to detecting key logging activity in computing systems.
A key logger is a program that covertly monitors and records a user's keystrokes on a keyboard. The recorded keystrokes can be sent to a third party, or saved for later retrieval by a third party. Key loggers can be a particularly nefarious manifestation of malware, because they enable an attacker to gather a large amount of sensitive information without needing to defeat encryption. Besides collecting credentials (username/password combinations) without having to obtain access to (and crack) password databases, they can potentially collect account numbers, transcripts of confidential documents as they are typed, and other sensitive data before that data is encrypted.
It can be difficult to detect the presence of a key logger on a system. Antivirus and other antimalware products that attempt to detect key loggers typically work by searching for signatures of known malware (“threat signatures”). There is often a lag between the creation of new malware and the appearance of its signature in an antivirus signature database. Further, it is often not difficult for a savvy attacker to disguise the signature to avoid detection. Forensic software may allow for detection of key logging activity in post-mortem memory dumps, but it is infeasible to perform such analysis on a regular or ongoing basis.